Access control via ZXTM database authentication

So you'd like to restrict service access to only users authenticated via a central database. For example, you've got a bunch of web servers, all different vintages - some IIS, some Apache etc. - and you want to secure the whole service to only 'paid-up' users in your CRM service. You can either try to reconfigure every server in your server farm, or just do it in the traffic manager.

Our initial architecture looks something like this:

[Diagram: database auth1]

We've got a typical setup: a heterogeneous collection of servers, grouped into pools providing a particular function of the site (static content, ASP pages, J2EE support). We'd like to move to something like the diagram below:

[Diagram: database auth2]

In our ideal world, the traffic flow would be:

  1. A request is received from the outside world
  2. ZXTM decides this request is for a protected service, and queries an authentication service
  3. The authentication service responds (allowed or denied)
  4. If allowed, ZXTM load-balances the request onto the appropriate pool

Well, this is easy with TrafficScript: just use the power of the http.request.get command. Let's implement our authentication service as a Perl FastCGI script, available via a URL as http://mysite/auth.fcgi. It takes the HTTP Authorization header as an argument, and queries a MySQL database. Just like a FastCGI authorizer, it will return an HTTP status code of 200 if the user is allowed, otherwise 401, along with the authorization realm and the HTML body of the 'access denied' page.

So let's look at the TrafficScript rule:

# Ask the authentication service about this request's credentials.
# $1, $2 and $3 are set to the response code, content type and headers.
$body = http.request.get( "http://mysite/auth.fcgi/?".http.getHeader("Authorization"));
# Anything other than 200 is relayed straight back to the client (401 plus realm and denied page).
if( $1 != 200 ) { http.sendResponse( $1, $2, $body, $3 ); }

Two lines, that's pretty easy.
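The other half of the exchange is the authentication service itself. The following is an added example, not the Perl FastCGI script from the original article: a Python authorizer that takes the Authorization header, looks the user up in a database (an in-memory SQLite table with constructed sample users stands in for the MySQL CRM table), and returns the same four things the TrafficScript rule hands to http.sendResponse: status code, content type, body and extra headers. The realm name, user names, passwords and the paid_up column are all invented for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os
import sqlite3

REALM = "Paid members"          # assumption: realm name invented for the example
ITERATIONS = 100_000            # PBKDF2 work factor; tune for your hardware
DENIED_BODY = "<html><body><h1>Access denied</h1></body></html>"


def make_store():
    """In-memory SQLite table standing in for the MySQL CRM table (constructed sample users)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pwhash BLOB, paid_up INTEGER)")
    for name, password, paid in (("alice", "correct horse", 1), ("bob", "battery staple", 0)):
        salt = os.urandom(16)
        pwhash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (name, salt, pwhash, paid))
    return db


def basic_header(user, password):
    """Build the Authorization header a browser sends for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic(header):
    """Return (user, password) from a Basic Authorization header, or None if it is malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authorize(db, header):
    """Decide like the FastCGI authorizer: (status, content_type, body, extra_headers).

    The tuple order matches what the TrafficScript rule feeds to http.sendResponse.
    """
    denied = (401, "text/html", DENIED_BODY, f'WWW-Authenticate: Basic realm="{REALM}"')
    creds = parse_basic(header)
    if creds is None:
        return denied
    user, password = creds
    row = db.execute("SELECT salt, pwhash, paid_up FROM users WHERE name = ?", (user,)).fetchone()
    # Hash even for unknown users so the response time does not reveal which names exist.
    salt, stored, paid = row if row else (b"\0" * 16, b"\0" * 32, 0)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if row is None or not hmac.compare_digest(candidate, stored) or not paid:
        return denied
    return (200, "text/plain", "", "")


if __name__ == "__main__":
    store = make_store()
    for hdr in (basic_header("alice", "correct horse"), basic_header("bob", "battery staple"), None):
        print(hdr, "->", authorize(store, hdr)[0])
```

Two things worth carrying over to a real deployment: the rule above sends the Authorization header in the query string, so access logging on the authentication virtual server should not record query strings (or pass the value as a request header instead), and the password column should hold a salted hash, as here, rather than the CRM's cleartext password.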

The clever bit is how you can take a simple pattern like this and embellish it to your particular needs. For example, the first thing you'll want to do is ensure your authentication service isn't a single point of failure. So how to solve that? Easy, use ZXTM - create a new virtual server which load-balances requests over a pool of authentication servers and "loopback" the http.request.get from ZXTM to itself! Just alter the URL to "http://localhost:<port>/...". Instant reliability and scalability of your authentication services. Maybe you want to restrict access by time of day, or by the client's allowed IP address, or by the URL requested. You can even use TrafficScript's persistent data structures to reduce the load on your authentication servers by caching authentication responses - but that's another article...
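The embellishments just listed - time-of-day and client-address restrictions in front of the authentication call, and a cache of its answers - are easy to reason about in ordinary code. The class below is an added example written for this page, not TrafficScript and not Zeus code: `backend` stands in for the http.request.get call to the loopback authentication virtual server and returns the status code it got back, while the gate applies the local policy and keeps a bounded, short-lived cache of decisions keyed by a hash of the header. The allowed network, opening hours, TTL and sample headers are all constructed for the example.

```python
import hashlib
import ipaddress
import time


class AuthGate:
    """Policy checks plus a short-lived cache of authentication decisions.

    `backend(auth_header)` stands in for the http.request.get to the auth pool
    and returns the status code it received (200 or 401).  Everything else is
    the traffic-manager side: local policy first, then the cache, then the call.
    """

    def __init__(self, backend, ttl=30.0, allowed_nets=("192.0.2.0/24",),
                 open_hours=(8, 18), max_entries=10_000, clock=time.monotonic):
        self.backend = backend
        self.ttl = ttl                                   # seconds a decision stays valid
        self.allowed_nets = [ipaddress.ip_network(n) for n in allowed_nets]
        self.open_hours = open_hours                     # [start, end) hour of day, 24h clock
        self.max_entries = max_entries                   # bound the cache so junk headers cannot exhaust memory
        self.clock = clock                               # injectable for tests
        self.cache = {}                                  # sha256(header) -> (status, expiry)
        self.backend_calls = 0

    @staticmethod
    def _key(auth_header):
        # Hash the header so the cache never holds credentials in the clear.
        return hashlib.sha256(auth_header.encode()).hexdigest()

    def _evict(self, now):
        """Drop expired entries; if still full, drop the oldest inserted one."""
        for key in [k for k, (_, expiry) in self.cache.items() if expiry <= now]:
            del self.cache[key]
        if len(self.cache) >= self.max_entries:
            del self.cache[next(iter(self.cache))]

    def check(self, auth_header, client_ip, hour):
        """Return 401 without credentials, 403 for a policy failure, else the auth decision."""
        if not auth_header:
            return 401
        start, end = self.open_hours
        if not start <= hour < end:
            return 403
        if not any(ipaddress.ip_address(client_ip) in net for net in self.allowed_nets):
            return 403
        now = self.clock()
        key = self._key(auth_header)
        hit = self.cache.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]                                # cached decision, no backend round trip
        status = self.backend(auth_header)
        self.backend_calls += 1
        if len(self.cache) >= self.max_entries:
            self._evict(now)
        # Caching denials too means a repeated bad login costs the database nothing for `ttl` seconds.
        self.cache[key] = (status, now + self.ttl)
        return status


if __name__ == "__main__":
    # Stand-in auth pool: one known-good header (constructed), everything else denied.
    def pool(header):
        return 200 if header == "Basic dXNlcjpwdw==" else 401

    gate = AuthGate(pool)
    for _ in range(3):
        print(gate.check("Basic dXNlcjpwdw==", "192.0.2.10", hour=9), "backend calls:", gate.backend_calls)
```

Policy checks run before the cache lookup on purpose: a cached "allowed" must never let a request through from an address or at a time the policy would reject, and the cheap checks also shield the cache and the backend from traffic that would be refused anyway.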

[Diagram: database auth3]

Damian Reeves [Zeus CTO] 01 July 2005  Permalink  